Besides all the technology we talked about in the last two blogs that examined the network and application layers of the LAN, this next section is arguably the most important. Giving your users a proper security education can limit any of these technologies having to be used in the first place. If they’re not going to bring in the threats and are equipped with the knowledge to protect themselves, it’s a big win for everyone.
Empower your users with security training – Make sure your users are up on the latest trends and threats on the Internet. Giving them the power and education will save you hours of frustration later on. The key is making sure they know you’re there and that you’re on their side. They need to understand your goal is NOT to be big brother watching everything they’re doing – it's important for them to understand that you’re there to help secure the company and keep them safe. Create a relationship with them and run contests regarding information security, send out questionnaires or even surveys as to what they’d like to see in your training. Make them more involved with the program too.
Train them often early and often – Offer training in multiple formats because everyone learns differently - face-to-face, webinars, written material, etc. Send out mandatory training that the users will have to take before coming into the company and every year annually. (Not all training should be enforced as you want users to WANT to get trained, but you have to enforce some of it to catch those users that aren't interested. Who knows… they might actually learn something.)
Communicate – Hang up posters around the office with security phrases. Make sure this is part of their corporate culture and maybe they’ll think twice before doing something potentially dangerous on the internet and to your company.
Make it fun – Put the training to the test, this is the fun part. Send out fake phishing emails, leave USB or badges around the office, call into user desk phones and try to get information out of them. This is the barometer to determine if they were listening. Also, don’t beat anyone up if they fail, this is a company wide effort. If one group doesn’t do well, they might all need additional training. This doesn’t mean we single people out, but if a few people in the group had issues, you can be sure that there are others who need training.
These three sections are just the tip of the iceberg when it comes to securing your LAN, but it’s a start. By applying a few of these areas into your network will assist with a strong security posture which you can continually add upon. The key is to add all three areas to create a layered approach. If you only install one area of these suggestions you’ll leave yourself open to attacks from a different angle. Try to enforce each area so that you have a well-rounded security posture around your LAN.